feat: Add rename locals, deep scan constructor/singleton

1) It's possible to transform v1 = v2 into v1 = _v1 or _v2 = v2
2) All variables apearing as return from some function can be
deep scanned at once from that function
3) Remove some false-positive error messages when scanning

Author: Igor Kirillov

.gitignore

@@ -6,6 +6,7 @@
 *.user
 *.sln.docstates
 *.coati*
+*.pyc
 
 # Build results
 [Dd]ebug/

HexRaysPyTools.py

@@ -27,6 +27,9 @@ def hexrays_events_callback(*args):
         if Actions.RecastItemLeft.check(hx_view.cfunc, item):
             idaapi.attach_action_to_popup(form, popup, Actions.RecastItemLeft.name, None)
 
+        if Actions.RenameOther.check(hx_view.cfunc, item):
+            idaapi.attach_action_to_popup(form, popup, Actions.RenameOther.name, None)
+
         if Actions.RenameInside.check(hx_view.cfunc, item):
             idaapi.attach_action_to_popup(form, popup, Actions.RenameInside.name, None)
 
@@ -43,6 +46,7 @@ def hexrays_events_callback(*args):
             if not hx_view.cfunc.entry_ea == idaapi.BADADDR:  # Probably never happen
                 idaapi.attach_action_to_popup(form, popup, Actions.AddRemoveReturn.name, None)
                 idaapi.attach_action_to_popup(form, popup, Actions.ConvertToUsercall.name, None)
+                idaapi.attach_action_to_popup(form, popup, Actions.DeepScanReturn.name, None)
 
         elif item.citype == idaapi.VDI_LVAR:
             # If we clicked on argument
@@ -172,11 +176,13 @@ def init():
         Actions.register(Actions.ConvertToUsercall)
         Actions.register(Actions.ShallowScanVariable, Helper.temporary_structure)
         Actions.register(Actions.DeepScanVariable, Helper.temporary_structure)
+        Actions.register(Actions.DeepScanReturn, Helper.temporary_structure)
         Actions.register(Actions.RecognizeShape)
         Actions.register(Actions.SelectContainingStructure, potential_negatives)
         Actions.register(Actions.ResetContainingStructure)
         Actions.register(Actions.RecastItemRight)
         Actions.register(Actions.RecastItemLeft)
+        Actions.register(Actions.RenameOther)
         Actions.register(Actions.RenameInside)
         Actions.register(Actions.RenameOutside)
 
@@ -209,11 +215,13 @@ def term():
         Actions.unregister(Actions.ConvertToUsercall)
         Actions.unregister(Actions.ShallowScanVariable)
         Actions.unregister(Actions.DeepScanVariable)
+        Actions.unregister(Actions.DeepScanReturn)
         Actions.unregister(Actions.RecognizeShape)
         Actions.unregister(Actions.SelectContainingStructure)
         Actions.unregister(Actions.ResetContainingStructure)
         Actions.unregister(Actions.RecastItemRight)
         Actions.unregister(Actions.RecastItemLeft)
+        Actions.unregister(Actions.RenameOther)
         Actions.unregister(Actions.RenameInside)
         Actions.unregister(Actions.RenameOutside)
         idaapi.term_hexrays_plugin()

HexRaysPyTools/Actions.py

@@ -3,13 +3,14 @@
 import re
 
 import idaapi
+import idc
 
 import HexRaysPyTools.Forms as Forms
 import HexRaysPyTools.Core.Const as Const
 import HexRaysPyTools.Core.Helper as Helper
 from HexRaysPyTools.Core.StructureGraph import StructureGraph
 from HexRaysPyTools.Core.TemporaryStructure import VirtualTable, TemporaryStructureModel
-from HexRaysPyTools.Core.VariableScanner import ShallowSearchVisitor, DeepSearchVisitor
+from HexRaysPyTools.Core.VariableScanner import ShallowSearchVisitor, DeepSearchVisitor, VariableLookupVisitor
 from HexRaysPyTools.Core.Helper import FunctionTouchVisitor
 
 RECAST_LOCAL_VARIABLE = 0
@@ -83,7 +84,7 @@ def choose_til():
         if library_num != -1:
             selected_library = list_type_library[library_num][0]
             max_ordinal = idaapi.get_ordinal_qty(selected_library)
-            if max_ordinal == idaapi.BADNODE:
+            if max_ordinal == idaapi.BADORD:
                 TypeLibrary.enable_library_ordinals(library_num - 1)
                 max_ordinal = idaapi.get_ordinal_qty(selected_library)
             print "[DEBUG] Maximal ordinal of lib {0} = {1}".format(selected_library.name, max_ordinal)
@@ -95,7 +96,7 @@ def import_type(library, name):
         if library.name != idaapi.cvar.idati.name:
             last_ordinal = idaapi.get_ordinal_qty(idaapi.cvar.idati)
             type_id = idaapi.import_type(library, -1, name)  # tid_t
-            if type_id != idaapi.BADNODE:
+            if type_id != idaapi.BADORD:
                 return last_ordinal
         return None
 
@@ -280,6 +281,7 @@ def activate(self, ctx):
             scanner.process()
             for field in scanner.candidates:
                 self.temporary_structure.add_row(field)
+            scanner.clear()
 
     def update(self, ctx):
         if ctx.form_title[0:10] == "Pseudocode":
@@ -300,6 +302,9 @@ def __init__(self, temporary_structure):
     def activate(self, ctx):
         hx_view = idaapi.get_tform_vdui(ctx.form)
         variable = hx_view.item.get_lvar()  # lvar_t
+        self.scan(hx_view, variable)
+
+    def scan(self, hx_view, variable):
         if variable and filter(lambda x: x.equals_to(variable.type()), Const.LEGAL_TYPES):
             definition_address = variable.defea
             # index = list(hx_view.cfunc.get_lvars()).index(variable)
@@ -313,6 +318,61 @@ def activate(self, ctx):
             scanner.process()
             for field in scanner.candidates:
                 self.temporary_structure.add_row(field)
+            scanner.clear()
+
+    def update(self, ctx):
+        if ctx.form_title[0:10] == "Pseudocode":
+            return idaapi.AST_ENABLE_FOR_FORM
+        return idaapi.AST_DISABLE_FOR_FORM
+
+
+class DeepScanReturn(idaapi.action_handler_t):
+
+    name = "my:DeepScanReturn"
+    description = "Deep Scan Returned Variables"
+    hotkey = None
+
+    def __init__(self, temporary_structure):
+        self.temporary_structure = temporary_structure
+        idaapi.action_handler_t.__init__(self)
+
+    @staticmethod
+    def check(ctx):
+        hx_view = idaapi.get_tform_vdui(ctx.form)
+        return hx_view.cfunc.get_rettype().equals_to(Const.VOID_TINFO)
+
+    def activate(self, ctx):
+        hx_view = idaapi.get_tform_vdui(ctx.form)
+        address = hx_view.cfunc.entry_ea
+
+        xref_ea = idaapi.get_first_cref_to(address)
+        xrefs = set()
+        while xref_ea != idaapi.BADADDR:
+            xref_func_ea = idc.GetFunctionAttr(xref_ea, idc.FUNCATTR_START)
+            if xref_func_ea != idaapi.BADADDR:
+                xrefs.add(xref_func_ea)
+            else:
+                print "[Warning] Function not found at 0x{0:08X}".format(xref_ea)
+            xref_ea = idaapi.get_next_cref_to(address, xref_ea)
+
+        for func_ea in xrefs:
+            visitor = VariableLookupVisitor(address)
+
+            try:
+                cfunc = idaapi.decompile(func_ea)
+                if cfunc:
+                    FunctionTouchVisitor(cfunc).process()
+                    visitor.apply_to(cfunc.body, None)
+                    for idx in visitor.result:
+                        scanner = DeepSearchVisitor(cfunc, 0, idx)
+                        scanner.process()
+                        for field in scanner.candidates:
+                            self.temporary_structure.add_row(field)
+
+            except idaapi.DecompilationFailure:
+                print "[Warning] Failed to decompile function at 0x{0:08X}".format(xref_ea)
+
+        DeepSearchVisitor.clear()
 
     def update(self, ctx):
         if ctx.form_title[0:10] == "Pseudocode":
@@ -693,6 +753,51 @@ def check(cfunc, ctree_item):
                     return RECAST_RETURN, new_type, expression.x.x.obj_ea
 
 
+class RenameOther(idaapi.action_handler_t):
+    name = "my:RenameOther"
+    description = "Take other name"
+    hotkey = "Ctrl+N"
+
+    def __init__(self):
+        idaapi.action_handler_t.__init__(self)
+
+    @staticmethod
+    def check(cfunc, ctree_item):
+        if ctree_item.citype != idaapi.VDI_EXPR:
+            return
+
+        expression = ctree_item.it.to_specific_type
+        if expression.op != idaapi.cot_var:
+            return
+
+        parent = cfunc.body.find_parent_of(expression).to_specific_type
+        if parent.op != idaapi.cot_asg:
+            return
+
+        other = parent.theother(expression)
+        if other.op != idaapi.cot_var:
+            return
+
+        this_lvar = ctree_item.get_lvar()
+        other_lvar = cfunc.get_lvars()[other.v.idx]
+        if (other_lvar.has_user_name or other_lvar.is_arg_var and re.search("a\d*$", other_lvar.name) is None) \
+                and this_lvar.name.lstrip('_') != other_lvar.name.lstrip('_'):
+            return '_' + other_lvar.name, this_lvar
+
+    def activate(self, ctx):
+        hx_view = idaapi.get_tform_vdui(ctx.form)
+        result = self.check(hx_view.cfunc, hx_view.item)
+
+        if result:
+            name, lvar = result
+            hx_view.rename_lvar(lvar, name, True)
+
+    def update(self, ctx):
+        if ctx.form_title[0:10] == "Pseudocode":
+            return idaapi.AST_ENABLE_FOR_FORM
+        return idaapi.AST_DISABLE_FOR_FORM
+
+
 class RenameInside(idaapi.action_handler_t):
     name = "my:RenameInto"
     description = "Rename inside argument"
@@ -717,8 +822,8 @@ def check(cfunc, ctree_item):
                     func_tinfo = parent.x.type.get_pointed_object()
                     func_data = idaapi.func_type_data_t()
                     func_tinfo.get_func_details(func_data)
-                    if arg_index < func_tinfo.get_nargs() and lvar.name != func_data[arg_index].name:
-                        return func_tinfo, parent.x.obj_ea, arg_index, lvar.name
+                    if arg_index < func_tinfo.get_nargs() and lvar.name.lstrip('_') != func_data[arg_index].name:
+                        return func_tinfo, parent.x.obj_ea, arg_index, lvar.name.lstrip('_')
 
     def activate(self, ctx):
         hx_view = idaapi.get_tform_vdui(ctx.form)

HexRaysPyTools/Core/Helper.py

@@ -160,9 +160,7 @@ def touch_all(self):
             try:
                 cfunc = idaapi.decompile(address)
                 if cfunc:
-                    touch_visitor = FunctionTouchVisitor(cfunc)
-                    touch_visitor.apply_to(cfunc.body, None)
-                    touch_visitor.touch_all()
+                    FunctionTouchVisitor(cfunc).process()
             except idaapi.DecompilationFailure:
                 print "[ERROR] IDA failed to decompile function at 0x{address:08X}".format(address=address)
         idaapi.decompile(self.cfunc.entry_ea)

HexRaysPyTools/Core/TemporaryStructure.py

@@ -156,9 +156,9 @@ def name(self):
         name = idaapi.get_short_name(self.address)
         name = name.split('(')[0]
         result = re.search(r"(\[thunk\]:)?([^`]*)(.*\{(\d+)}.*)?", name)
-        name, adjustor = result.group(2), result.group(4)
-        if adjustor:
-            name += "_adj_" + adjustor
+        name, adjuster = result.group(2), result.group(4)
+        if adjuster:
+            name += "_adj_" + adjuster
         name = name.translate(None, "`'").replace(' ', '_')
         name = re.sub(r'[<>]', '_t_', name)
         return name

HexRaysPyTools/Core/VariableScanner.py

@@ -115,6 +115,7 @@ def check_member_assignment(self, expression, index):
                 # Assignment like (v1 = v2) where v2 is scanned variable
                 if parents[0].x.op == idaapi.cot_var:
                     self.add_variable(parents[0].x.v.idx)
+                    return
             else:
                 # if expression is (var = something), we have to explore whether continue to scan this variable or not
                 if parents[0].y.op != idaapi.cot_num:
@@ -139,7 +140,7 @@ def check_member_assignment(self, expression, index):
                             index, self.expression_address
                         )
                         self.variables.pop(index)
-                        return
+                    return
 
         # Assignment like v1 = (TYPE) v2 where TYPE is one the supported types
         elif parents_type[0:3] == ['cast', 'asg', 'expr']:
@@ -166,14 +167,15 @@ def check_member_assignment(self, expression, index):
                 offset = parents[0].theother(expression).numval()
 
                 if parents_type[2] == 'ptr':
-                    if parents_type[3] == 'asg' and parents[3].x == parents[2]:
-                        # *(TYPE *)(var + x) = ???
-                        return self.get_member(
-                            offset, index, object=parents[3].y, default=parents[1].type.get_pointed_object()
-                        )
-                    # other_var = *(TYPE *)(var + x)
-                    if parents[3].x.op == idaapi.cot_var:
-                        return self.create_member(offset, index, parents[3].x.type)
+                    if parents_type[3] == 'asg':
+                        if parents[3].x == parents[2]:
+                            # *(TYPE *)(var + x) = ???
+                            return self.get_member(
+                                offset, index, object=parents[3].y, default=parents[1].type.get_pointed_object()
+                            )
+                        if parents[3].x.op == idaapi.cot_var:
+                            # other_var = *(TYPE *)(var + x)
+                            return self.create_member(offset, index, parents[3].x.type)
                     return self.create_member(offset, index, parents[1].type.get_pointed_object())
 
                 elif parents_type[2] == 'call':
@@ -217,6 +219,7 @@ def check_member_assignment(self, expression, index):
                 elif parents_type[1] == 'asg':
                     if parents[1].y == parents[0] and parents[1].x.op == idaapi.cot_var:
                         self.scan_function(self.function.entry_ea, offset, parents[1].x.v.idx)
+                        return
 
             elif parents_type[0] == 'asg':
                 # var = (int)&Some_object
@@ -324,6 +327,9 @@ def check_member_assignment(self, expression, index):
                     # *var
                     return self.create_member(0, index, self.variables[index].get_pointed_object())
 
+                elif parents_type[0] == 'asg':
+                    return
+
         if 'return' not in parents_type[0:2] and parents_type[0] not in ('if', 'band', 'eq', 'ne', 'cast'):
             print "[DEBUG] Unhandled type", self.variables[index].dstr(), \
                 "Index:", index, \
@@ -338,6 +344,9 @@ def process(self):
         don't wind up in infinite recursion.
         """
         self.apply_to(self.function.body, None)
+
+    @staticmethod
+    def clear():
         scanned_functions.clear()
 
 
@@ -362,3 +371,26 @@ def scan_function(self, ea, offset, arg_index):
                 self.candidates.extend(scanner.candidates)
         except idaapi.DecompilationFailure:
             print "[ERROR] Ida failed to decompile function"
+
+
+class VariableLookupVisitor(idaapi.ctree_parentee_t):
+    """ Helps to find all variables that are returned by some function placed at func_address """
+
+    def __init__(self, func_address):
+        super(VariableLookupVisitor, self).__init__()
+        self.func_address = func_address
+        self.result = []
+
+    def visit_expr(self, expression):
+        # We are looking for expressions like `var = func(...)` or `var = (TYPE) func(...)`
+        if expression.op == idaapi.cot_asg and expression.x.op == idaapi.cot_var:
+            if expression.y.op == idaapi.cot_call:
+                if self.__check_call(expression.y) or \
+                        expression.y.op == idaapi.cot_cast and expression.y.x.op == idaapi.cot_call:
+
+                    idx = expression.x.v.idx
+                    self.result.append(idx)
+        return 0
+
+    def __check_call(self, expression):
+        return expression.x.obj_ea == self.func_address